Also increase add PLAT_ARM_SP_MAX_SIZE to override the default
ARM_SP_MAX_SIZE to support Trusty image and move OPTEE_SP_FW_CONFIG
documentation to build-internals.rst as it's not externally set-able.
Signed-off-by: Arunachalam Ganapathy <arunachalam.ganapathy@arm.com>
Signed-off-by: Boyan Karatotev <boyan.karatotev@arm.com>
Change-Id: Ief90ae9113d32265ee2200f35f3e517b7b9a4bea
Exclude the threat of power analysis side-channel attacks
from consideration in the TF-A generic threat model.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: I5b245f33609fe8948e473ce4484898db5ff8db4d
Update the FVP TC2 model version and build (11.23/17) to match
the version used for testing in TF-A OpenCI.
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Change-Id: Ic7411ee4863428b7dfbe43cf39abfc2269f3c3ae
Add support for feat mte2. tfsr_el2 is available only with mte2,
however currently its context_save/restore is done with mte rather than
mte2, so introduce 'is_feat_mte2_supported' to check mte2.
Change-Id: I108d9989a8f5b4d1d2f3b9865a914056fa566cf2
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
This model has been subsumed by the `FVP_Base` model, which is now
available publicly. We no longer have a need to test the Foundation
model, and can shave off a few minutes of CI time by removing it.
Change-Id: Iaa0f23f2efd9ba431d06c8da2be14b76f6974b0a
Signed-off-by: Chris Kay <chris.kay@arm.com>
Explain that platforms are free to define their own Chain of Trust (CoT)
based on their needs but default ones are provided in TF-A source code:
TBBR, dualroot and CCA.
Give a brief overview of the use case for each of these CoTs.
Simplified diagrams are also provided for the TBBR and dualroot CoTs -
CCA CoT is missing such a diagram right now, it should be provided as a
future improvement.
Also do some cosmetic changes along the way.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I7c4014d4d12d852b0ae5632ba9c71a9ad266080a
In RME documentation use "bp.secure_memory=0" to disable TZC,
and avoid conflicts with SPM in 4-world configuration.
Signed-off-by: J-Alves <joao.alves@arm.com>
Change-Id: I532bca8ab3bd3e6d4f18b5aa7e848c533e016f39
Cortex-A715 erratum 2561034 is a Cat B erratum that applies to
revision r1p0 and is fixed in r1p1.
The workaround is to set bit[26] in CPUACTLR2_EL1. Setting this
bit is not expected to have a significant performance impact.
SDEN documentation:
https://developer.arm.com/documentation/SDEN2148827/latest
Change-Id: I377f250a2994b6ced3ac7d93f947af6ceb690d49
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Section "Describing the authentication method(s)" of the Authentication
Framework documentation shows the authentication parameters types
(auth_param_type_t enum type) but is missing the AUTH_PARAM_NV_CTR
value. Add it.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I7c9022badfb039bfa9f999ecee40f18b49e6764c
The former link pointed to a page which displayed the following warning
message:
We could not find that page in the latest version, so we have taken
you to the first page instead
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: Icf9277770e38bc5e602b75052c2386301984238d
* changes:
feat(arm): move GPT setup to common BL source
feat(arm): retrieve GPT related data from platform
refactor(arm): rename L0/L1 GPT base macros
- Warn contributors that they need to register their email address in
their Gerrit profile. Not doing so causes errors at patch submission
and is a recurrent question on the mailing list.
- Add some links where useful.
- Remove confusing CGit link to TF-A source code. In the context of
setting up a local copy of the repo for contributing patches,
developers should rather clone it through Gerrit and this is best
covered by the "Getting the TF-A Source" section of TF-A
documentation.
- Add references to the OpenCI documentation, which has a lot more
details on some of the topics we briefly cover in the contribution
guidelines.
- Encourage the user to use the 'git review' command for patch
submission, inline with OpenCI documentation instructions. This
automatically sorts out which Gerrit server to push to and against
which repo branch (thanks to the '.gitreview' configuration file in
TF-A root directory).
- Elaborate the Coverity Scan section.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I1131662d8bc3502967b269a599869ea130897efb
This feature provides support to context save the
SCXTNUM_ELx register. FEAT_CSV2_3 implies the implementation
of FEAT_CSV2_2. FEAT_CSV2_3 is supported in AArch64 state only
and is an optional feature in Arm v8.0 implementations.
This patch adds feature detection for v8.9 feature FEAT_CSV2_3,
adds macros for ID_AA64PFR0_EL1.CSV2 bits [59:56] for detecting
FEAT_CSV2_3 and macro for ENABLE_FEAT_CSV2_3.
Change-Id: Ida9f31e832b5f11bd89eebd6cc9f10ddad755c14
Signed-off-by: Sona Mathew <sonarebecca.mathew@arm.com>
TF-A aims to comply with MISRA C:2012 Guidelines. We maintain a list of
all rules and directives and whether the project aims to comply with
them or not. A rationale is given for each deviation.
This list used to be provided as an '.ods' spreadsheet file hosted on
developer.trustedfirmware.org. This raises the following issues:
- The list is not version-controlled under the same scheme as TF-A
source code. This could lead to synchronization issues between the
two.
- The file needs to be open in a separate program, which is not as
straightforward as reading it from TF-A documentation itself.
- developer.trustedfirmware.org is deprecated, thus the file cannot be
safely kept there for any longer.
To address these issues, convert the '.ods' file into a CSV (Comma
Separated Values) file, which we import into TF-A source tree itself.
Make use of Sphinx's ability to process and render CSV files as tables
to display that information directly into the Coding Guidelines
document.
Also make the following minor changes along the way:
- Remove dead link to MISRA C:2012 Guidelines page. Replace it with a
link to a Wikipedia page to give a bit of context to the reader.
- We no longer use Coverity for MISRA compliance checks. Instead, we
use ECLAIR nowadays. Reflect this in the document.
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I422fdd8246f4f9c2498c1be18115408a873b86ac
developer.trustedfirmware.org is deprecated so we cannot use its issues
tracker anymore. Instead, the project will now make use of the issues
tracker associated with the project's Github mirror at [1].
Reflect this change in TF-A documentation.
[1] https://github.com/TrustedFirmware-A/trusted-firmware-a/issues
Signed-off-by: Sandrine Bailleux <sandrine.bailleux@arm.com>
Change-Id: I912f7dafc74368dba4e61ba4c9f358d5bf8346a9
Cortex X3 erratum 2641945 is a Cat B erratum that applies to all
revisions <= r1p0 and is fixed in r1p1.
The workaround is to disable the affected L1 data cache prefetcher
by setting CPUACTLR6_EL1[41] to 1. Doing so will incur a performance
penalty of ~1%. Contact Arm for an alternate workaround that impacts
power.
SDEN documentation:
https://developer.arm.com/documentation/2055130/latest
Change-Id: Ia6d6ac8a66936c63b8aa8d7698b937f42ba8f044
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
As of now, GPT setup is being handled from BL2 for plat/arm platforms.
However, for platforms having a separate entity to load firmware images,
it is possible for BL31 to setup the GPT. In order to address this
concern, move the GPT setup implementation from arm_bl2_setup.c file to
arm_common.c. Additionally, rename the API from arm_bl2_gpt_setup to
arm_gpt_setup to make it boot stage agnostic.
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: I35d17a179c8746945c69db37fd23d763a7774ddc
For RME-enabled platforms, initializing L0 and L1 tables and enabling
GPC checks is necessary. For systems using BL2 to load firmware images,
the GPT initialization has to be done in BL2 prior to the image load.
The common Arm platform code currently implements this in the
"arm_bl2_plat_gpt_setup" function, relying on the FVP platform's
specifications (PAS definitions, GPCCR_PPS, and GPCCR_PGS).
Different Arm platforms may have distinct PAS definitions, GPCCR_PPS,
GPCCR_PGS, L0/L1 base, and size. To accommodate these variations,
introduce the "plat_arm_get_gpt_info" API. Platforms must implement
this API to provide the necessary data for GPT setup on RME-enabled
platforms. It is essential to note that these additions are relevant to
platforms under the plat/arm hierarchy that will reuse the
"arm_bl2_plat_gpt_setup" function.
As a result of these new additions, migrate data related to the FVP
platform to its source and header files.
Signed-off-by: Rohit Mathew <Rohit.Mathew@arm.com>
Change-Id: I4f4c8894c1cda0adc1f83e7439eb372e923f6147
The current documentation of the FEATURE_DETECTION build option seems
to suggest that this macro enables the dynamic runtime checking of
features, although this is done regardless of this debug feature.
FEATURE_DETECTION just adds the detect_arch_features() function to the
build and calls it early on, plus it enables the CPU errata order
checking.
Simplify the description of the FEATURE_DETECTION macro to make this
clear, and move the dynamic feature detection description into a
separate section, before all the specific ENABLE_FEAT_xxx explanations.
This also renames all mentioning of:
"... to align with the FEATURE_DETECTIION mechanism ..."
with:
"... to align with the ENABLE_FEAT mechanism ..."
in the description of each feature.
Change-Id: I5f4dd2d1e43bd440687b7cee551d02ec853d4e23
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Currently CTX_INCLUDE_MTE_REGS is used for dual purpose,
to enable allocation tags register and to context save and restore
them and also to check if mte feature is available.
To make it more meaningful, remove CTX_INCLUDE_MTE_REGS
and introduce FEAT_MTE. This would enable allocation tags register
when FEAT_MTE is enabled and also supported from platform.
Also arch features can be conditionally enabled disabled based on
arch version from `make_helpers/arch_features.mk`
Change-Id: Ibdd2d43874634ad7ddff93c7edad6044ae1631ed
Signed-off-by: Govindraj Raja <govindraj.raja@arm.com>
* changes:
fix(xilinx): add console_flush() before shutdown
fix(xilinx): fix sending sgi to linux
feat(xilinx): add new state to identify cpu power down
feat(xilinx): request cpu power down from reset
feat(xilinx): power down all cores on receiving cpu pwrdwn req
feat(xilinx): add handler for power down req sgi irq
feat(xilinx): add wrapper to handle cpu power down req
fix(versal-net): use arm common GIC handlers
fix(xilinx): rename macros to align with ARM
Software supply chain attacks aim to inject malicious code into a
software product. There are several ways a malicious code can be
injected into a software product (open-source project).
These include:
- Malicious code commits
- Malicious dependencies
- Malicious toolchains
This document provides analysis of software supply chain attack
threats for the TF-A project
Change-Id: I03545d65a38dc372f3868a16c725b7378640a771
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Added a threat model for PSA firmware update as well as TBBR FWU aka
firmware recovery.
Change-Id: I2396e13144076d7294f61f6817e1a8646225c6c2
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
Update CoT binding documentation to add the signing-key property
as optional in root-certificates and add rot_keys node
Change-Id: I1d1fbc0394275520cfa43213d5b7006e51990fdd
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
Cortex-A78C erratum 2683027 is a cat B erratum that applies to
revisions r0p1 - r0p2 and is still open. The workaround is to
execute a specific code sequence in EL3 during reset.
SDEN can be found here:
https://developer.arm.com/documentation/SDEN-2004089/latest
Change-Id: I2bf9e675f48b62b4cd203100f7df40f4846aafa8
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Cortex-X3 erratum 2266875 is a Cat B erratum that applies to
all revisions <= r1p0 and is fixed in r1p1. The workaround is to
set CPUACTLR_EL1[22]=1 which will cause the CFP instruction to
invalidate all branch predictor resources regardless of context.
SDEN Documentation:
https://developer.arm.com/documentation/2055130/latest
Change-Id: I9c610777e222f57f520d223bb03fc5ad05af1077
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Cortex-X3 erratum 2302506 is a cat B erratum that applies to
revisions r0p0-r1p1 and is fixed in r1p2. The workaround is to
set bit[0] of CPUACTLR2 which will force PLDW/PFRM ST to behave
like PLD/PRFM LD and not cause invalidation to other PE caches.
There might be a small performance degradation to this workaround
for certain workloads that share data.
SDEN can be found here:
https://developer.arm.com/documentation/2055130/latest
Change-Id: I048b830867915b88afa36582c6da05734a56d22a
Signed-off-by: Bipin Ravi <bipin.ravi@arm.com>
Added an assumption in generic threat model that platform's hardware
conforms the Platform Security Requirements specification.
Change-Id: I753287feec1cd459edfd3d1c103e0e701827cc05
Signed-off-by: Manish V Badarkhe <Manish.Badarkhe@arm.com>
On receiving CPU power down callback, TF-A raises SGI interrupt to all active
cores to power down each active cores. Add handler for this SGI IRQ.
By default TF-A uses SGI 6 for CPU power down request. This can be
configurable through CPU_PWRDWN_SGI build flag.
e.g., If user wants to use SGI 7 instead of SGI 6 then provide build
flag CPU_PWRDWN_SGI=7
Signed-off-by: Jay Buddhabhatti <jay.buddhabhatti@amd.com>
Change-Id: Id0df32187d1de3f0af4486eb4d4930cb3ab01dbd
